Here's why you should be paying attention to GDPR. And this will also certainly interest your investors and shareholders...
GDPR will transform your business
Compliance is finally catching up with the times, and if you aren't already overseeing the necessary preparations, you should start today. Even if you've remained largely unaffected by data protection laws thus far, you and your business will most definitely struggle if you wait any longer. The 261-page final draft of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC (Directive), was formally approved by the EU Parliament on April 14, 2016, and it needs to be taken seriously because it will transform your business at every level, including board level. It is expected to be published in the Official Journal of the European Union (EU) in June, and to enter into force 20 days later. A two-year transition period after that will see the GDPR officially adopted in roughly June 2018, with the force of law operating across all 27 EU states.
Privacy is about managing the threats as well as the opportunities. Businesses are eager to demonstrate that doing business is still secure in light of the recent wave of increasingly vicious cyber breaches – 55% of UK businesses have fallen victim in the last two years – but most businesses have no idea how vulnerable to attack they are. The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play within the rules. You will need to adapt to new ways of doing business. Fast.
It's your head on the chopping block now...
There is a lot to be gained by businesses from GDPR. It reduces 28 sets of different data protection laws to a single regulation, which will greatly reduce compliance costs, complexity, risk and uncertainty over reporting. This benefit also applies to companies based outside of the EU which operate in its markets. In giving citizens the rights to control their personal data, the directive hopes to see the EU become a haven for personal data, hopefully one that will directly influence data governance regimes in other parts of the world.
Boards will need to tread carefully in order to make the most of these new opportunities in a way that won't land them in increasingly hot water. The new regulations will require businesses to carry out a host of changes, but you'll need to play by the rules and learn how to effectively cover yourself. Cyber crime is becoming increasingly sophisticated and constantly evolving, so patchworks of outdated security systems simply do not offer the sort of protection that WALLIX does.
GDPR allows any European data protection authority to take action against businesses, regardless of where in the world the business is based, and the consequences are very real. The same top-line accountability will be in place, whether you are the CFO of a huge global brand or a local shopkeeper. It will be your head on the block if sensitive data finds itself in the wrong hands, even if the leak was the result of an innocent mistake by a temp or a third-party service provider you have trusted for years. Before long, a security breach and a failure on your business's part to take the now vital steps to protect your data won't result in a mere slap on the wrist; it will result in directors behind bars.
These increased compliance requirements also come hand in hand with heavy financial penalties of up to €20m or 4% of annual worldwide turnover (whichever is greater). “GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,” said Ross McKean, a partner at Olswang law firm, and you only have two years to get your house in order. “This is not a compliance or legal challenge; it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information,” he said.
GDPR will also force the ICO to grow larger and more frightening teeth. Prosecution and fines will rise suddenly and impact all, and not just the big names that we've seen in the media thus far. "If organisations get too excited about the opportunities and don't manage their way through regulation, they are not doing anyone any favours. There are ways to go after the opportunities safely, and if you don't do that you are going to be in trouble," said ICO Commissioner Christopher Graham. Serious enforcement and serious consequences mean that regardless of size, all companies and their boards should now be paying careful attention, because their investors and shareholders will soon be asking a lot of questions. They will expect to be informed of the measures that your business plans to take, so though you may not yet have a thorough knowledge of the technical inner workings of your company, you will need to.
How to avoid your business becoming just another statistic...
2018 will arrive a lot sooner than you think, and recent security breaches like Morrison's should serve as a lesson to be learned by all. The reputational and financial damage the company suffered as a result of their 2014 security breach - 6,000 employees took legal action against them - would be far, far worse with the new GDPR in place. "The overall approach by organisations to information security needs to be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness,” says Alan Calder, CEO of IT Governance. You need to begin preparations immediately and review your business practices, from governance, control, organisation and processes, to sourcing and technology. According to PwC’s Stewart Room, your GDPR-compliant strategy and approach will need to encompass a new compliance journey, a new transparency framework and a new enforcement, sanctions and remedies framework.
Your HR and marketing departments will also feel the impact – GDPR's Article 37 is of major importance and states that you will likely have to hire a Data Protection Officer (DPO) who understands how to handle data (including that used for marketing purposes) and assess risks, and who takes responsibility for regulatory compliance, staff training, supervision and so on. According to a study by the International Association of Privacy Professionals (IAPP), the staffing impact will be dramatic, with Europe requiring 28,000 DPOs.
WALLIX’s WAB Suite protects your exposed admin passwords (what hackers look for to gain access to your systems and data) and lets you control, oversee, monitor and record administrator sessions across multiple systems. It ensures absolute compliance with the new standards and builds a policy around your administrator accounts. WALLIX's commitment and expertise in data protection against the ever-evolving range of cyber security threats is unparalleled and if you’re audited before, during or after a security breach, you can rest assured that you won’t be in any trouble with the EU Commission when Spring 2018 arrives. Two years may sound like you've no cause for panic but once you realise the scale of the changes required within your walls in order to remain compliant with the new regulations, you'll thank us. Don't let yourself and your business be made an example of.